OX Security research: When an organization is at risk for dependency confusion attacks, 73% of its assets are vulnerable


News provided by

Ox Security

09 Aug, 2023, 17:07 IDT

The research, which looked at over 54,000 repositories across numerous sectors and organizations of various sizes, also revealed that the number of users does not indicate better security

TEL AVIV, Israel and BOSTON, Aug. 9, 2023 /PRNewswire/ -- New research from OX Security has found that almost all applications with more than 1B users are currently using dependencies which are vulnerable to dependency confusion attacks. Moreover, for organizations at risk, 73% of their assets are exposed to dependency confusion attacks, shedding new light on the devastating impact this type of attack can have on an organization.

The research, which looked at over 54,000 repositories, focused on both midsize and large organizations (1k+, 8k+, 80k+ employees) across a wide range of sectors, including finance, gaming, technology, and media. Risk of dependency confusion attacks was found across all sectors and organization sizes examined.

A dependency confusion attack occurs when malicious actors upload a software package with the same name as a legitimate, privately hosted one to a public package repository, so that the package resolver fetches the attacker's version and developers unknowingly use a malicious copy of the software. This can lead to severe consequences, as developers unwittingly introduce vulnerable or malicious code into their projects, compromising their security and integrity.

Dependency confusion attacks are highly dangerous because they often bypass traditional security measures, making them difficult to detect and defend against. They can potentially affect a large number of users and organizations reliant on the compromised dependencies, with one recent major example taking place in December 2022, when the PyTorch open source software supply chain was compromised.

Software companies are particularly targeted by dependency confusion attacks because, although the company assumes a package name kept in a private registry is safe, hijackers can still discover that name on package hosting services, in public script files, and in leaked internal paths.
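The defensive check implied by the passage above, as an added example that is not part of the press release or of OX Security's product: a static audit of an npm project that flags every dependency the organization treats as internal but which npm would still look up on the public registry, either because the name is unscoped or because its scope has no private registry pinned in .npmrc. The internal package list, package names and registry URLs are all constructed for the example.

```python
"""Added example (not from the press release or from OX Security): a static
check for dependency-confusion exposure in an npm project.

It reads a package.json and an .npmrc (both constructed here) and flags each
dependency that the organisation considers internal but that npm would still
resolve against the public registry: the name is unscoped, or its scope is not
pinned to a private registry.  Names and URLs below are assumptions.
"""
import json
import re

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed: names the organisation publishes only to its private registry.
INTERNAL_PACKAGES = {
    "acme-auth",          # unscoped -> resolvable from the public registry
    "acme-utils",         # unscoped -> same problem
    "@acme/logger",       # scope pinned to the private registry in .npmrc
    "@acme/billing",
    "@acme-labs/ci",      # scoped, but the scope is never pinned
}

# Constructed package.json
PACKAGE_JSON = """{
  "name": "acme-web",
  "dependencies": {
    "express": "^4.18.2",
    "acme-auth": "1.4.0",
    "acme-utils": "^3.1.0",
    "@acme/logger": "2.0.1",
    "@acme/billing": "0.9.0",
    "@acme-labs/ci": "1.0.0"
  }
}"""

# Constructed .npmrc: only the @acme scope is routed to the private registry.
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
//npm.internal.example/:_authToken=${NPM_TOKEN}
"""

SCOPE_LINE = re.compile(r"^(@[^:\s]+):registry=(\S+)\s*$")


def parse_npmrc(text):
    """Return {scope: registry_url} for every '@scope:registry=' line."""
    scopes = {}
    for line in text.splitlines():
        m = SCOPE_LINE.match(line.strip())
        if m:
            scopes[m.group(1)] = m.group(2)
    return scopes


def scope_of(name):
    """'@acme/logger' -> '@acme'; unscoped names return None."""
    return name.split("/", 1)[0] if name.startswith("@") else None


def classify(package_json, npmrc, internal):
    """Map each dependency name to one of:
    'third-party'            not an internal package, out of scope here
    'pinned-private'         scoped and the scope points at a non-public registry
    'exposed-unscoped'       internal but unscoped: public registry is consulted
    'exposed-scope-unpinned' scoped, but no private registry configured for it
    """
    deps = json.loads(package_json).get("dependencies", {})
    scopes = parse_npmrc(npmrc)
    result = {}
    for name in deps:
        if name not in internal:
            result[name] = "third-party"
            continue
        scope = scope_of(name)
        if scope is None:
            result[name] = "exposed-unscoped"
        elif scopes.get(scope, PUBLIC_REGISTRY) == PUBLIC_REGISTRY:
            result[name] = "exposed-scope-unpinned"
        else:
            result[name] = "pinned-private"
    return result


def exposed(package_json, npmrc, internal):
    """Sorted list of internal dependencies that are at risk."""
    return sorted(n for n, s in classify(package_json, npmrc, internal).items()
                  if s.startswith("exposed"))


if __name__ == "__main__":
    for name, status in classify(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES).items():
        print(f"{name:16} {status}")
```

Run against the constructed inputs, the check reports `acme-auth` and `acme-utils` as exposed because they are unscoped, and `@acme-labs/ci` as exposed because its scope falls through to the default public registry; the two `@acme` packages pass. The same test is worth running in CI whenever package.json or .npmrc changes, since a single unpinned scope is enough to reopen the exposure.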

"These findings of our latest research are deeply disturbing, as these types of attacks not only compromise the integrity and security of organizational assets, but they potentially impact those organizations' employees and users globally. Moreover, the fact that when an organization is at risk, a staggering 73% of their assets are vulnerable, really sheds light on just how exposed many organizations regardless of size or industry really are," said OX Security CEO and Co-Founder Neatsun Ziv.

ABOUT OX SECURITY

At OX Security, we believe that security should be an integral part of the software development process, not an afterthought. Founded by Neatsun Ziv and Lion Arzi, two former Check Point executives, OX Security is the first and only platform to scan the entire software supply chain - from code to cloud to code - eliminating any blind spots and delivering complete visibility, context and prioritization of security issues, all from a single pane of glass. Through a combination of best practices from risk management and cybersecurity and a developer-centric user experience, OX makes software supply chain security processes effortless for security teams to manage and easy for developers to adopt.

For more information visit www.ox.security and follow OX Security on LinkedIn.

SOURCE Ox Security
